
FISMA Failings: Could EPA's IT Defense Deficiencies Silence the Agency?


"EPA's deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments."

"EPA does not have a computer security log management policy that complies with federal requirements."

"EPA did not follow up with staff to confirm that corrective actions were taken to address known information security weaknesses. ... Office of Management and Budget Circular A-123, 'Management Accountability and Control,' states managers are responsible for taking timely and effective actions to correct identified deficiencies."

— EPA, Office of Inspector General, "Improvements Needed in EPA's Network Security Monitoring Program," Report No. 12-P-0899, September 27, 2012

A report from EPA's Office of Inspector General found serious deficiencies in EPA's network security. These shortcomings raise concerns about the integrity of agency data. Specifically, the report states that EPA's Office of Environmental Information

"which is responsible for securing EPA's network from internal and external exploits, has not developed a process to verify that known weaknesses have been addressed. As a result, known vulnerabilities remained unremediated and key steps to resolve those weaknesses remain unaddressed, which could leave EPA information exposed to unauthorized access." [Emphasis added]

The Harms From Unauthorized Access to EPA Data

The possibility of unauthorized access to EPA information raises an array of concerns since EPA-held data includes various types of Confidential Business Information, scientific research data, environmental databases, agency plans for responding to "incidents of national significance" and other security-related matters, and environmental monitoring data used in regulatory enforcement actions. Thus, the dangers from unauthorized access to EPA data range from disclosure of sensitive business information to the alteration/manipulation of environmental data so as to trigger, or not trigger, an investigation or enforcement action.

EPA has been warned before about its security shortcomings. One section of the OIG report is titled, "EPA Did Not Address Recommendations From Internal Reviews." The OIG found that EPA did not act on three separate analyses of the agency's information security, including one by Carnegie Mellon's Computer Emergency Response Team (CERT) Program and one by Booz Allen Hamilton that provided recommended steps for cyber security improvements. One of the Booz Allen recommendations noted by the OIG was that "EPA must adopt automated tools to achieve continuous monitoring for threats."

It is worth noting that EPA's continuous monitoring practices are at sharp variance with the Best Practice Principles developed by the Center for Regulatory Effectiveness (CRE). In its study of Information Security Continuous Monitoring Best Practices, CRE found that agencies need security professionals who are trained to take advantage of the capabilities of advanced software tools.

The OIG, however, found that EPA's Technology and Information Security Staff "did not develop a structured training plan to use with the SIEM tool" and that "Without a structured training curriculum, users' needs are not being met and the continued use of the SIEM tool by EPA's information security staff will be of limited value in performing information security activities."

The importance of continuous monitoring to agency cybersecurity should not be underestimated. As the report succinctly states, "Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential."

Information Security: A Data Quality Act Requirement

The Data Quality Act (DQA) sets quality standards for virtually all information disseminated by Executive Branch agencies. The Office of Management and Budget's government-wide Information Quality Guidelines state, "Agencies are directed to develop information resources management procedures for reviewing and substantiating (by documentation or other means selected by the agency) the quality (including the objectivity, utility, and integrity) of information before it is disseminated." [Emphasis added]

OMB's binding guidelines define "integrity" as referring "to the security of information — protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification." The guidelines state that "agencies may rely on their implementation of the Federal Government's computer security laws...to establish appropriate security safeguards for ensuring the 'integrity' of the information that the agencies disseminate."

In EPA's case, however, the OIG report makes clear that the agency is not in compliance with essential elements of the federal security requirements and these lapses "could leave EPA information exposed to unauthorized access."

The question becomes, how can EPA continue to substantiate the integrity of its information under the DQA given the serious problems with its intrusion detection capabilities and non-compliance with federal IT security requirements?

The question is not a trivial one. If the agency cannot substantiate the integrity — the cybersecurity — of data in its possession, it can't by law disseminate that data or information based on that data. EPA could find itself silenced on key issues where its voice is needed.

It is important to recognize that the DQA requirements are not minor technicalities that can be ignored. Instead, the statute gives affected persons the right to "seek and obtain" correction of information not meeting quality standards — including the integrity standard. Thus, an agency study or report could be subject to challenge under the DQA on the grounds that the underlying data may have been corrupted.

Agency reports, studies and other information disseminations may be used in rulemakings, act as warnings regarding certain types of products, and/or be used in litigation. Thus, affected persons have a significant incentive to seek and obtain retraction of any study based on altered/tampered data. They also have the legal tools.

The concept of "informational standing," i.e., the right of affected persons to seek judicial review of harmful, non-regulatory federal information disseminations, is well established in case law.

Moreover, the US Court of Appeals for the DC Circuit has explained that OMB's guidelines implementing the DQA are "binding" and in doing so cited the Supreme Court's Mead decision regarding rules carrying the force of law. It is noteworthy that the DC Circuit refused to modify its Opinion even after its primary implication, that DQA decisions are subject to judicial review, became clear and the subject of a Justice Department petition.

Thus, the cyberinsecurities identified by the EPA OIG have wide-ranging environmental and legal ramifications. The most important lesson that can be drawn from the OIG report, however, a lesson applicable to all federal organizations, is that cybersecurity is not merely an internal housekeeping matter; it is the underpinning of every agency's ability to carry out its mission.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness

Related topics: Data Center, Law, Policy & Regulation, Security

Comment: Recent DOE OIG Also Raises Concern About Integrity of Agency Information — Bruce Levinson, Nov 14, 2012 11:45 AM PDT

A recent OIG report on the Department of Energy's unclassified systems cyber security highlights cyber defense weaknesses, including in continuous monitoring, that could allow for unauthorized access to and manipulation of Departmental data.

As the report explains, without "implementation of effective continuous monitoring practices and adopting processes to ensure security controls are in place and operating as intended, there is an increased risk of compromise and/or loss, modification and non-availability of the Department's systems and the information."

The complete DOE report is available here on the Center for Regulatory Effectiveness' FISMA Focus IPD.
