The U.S. Environmental Protection Agency is lagging behind on cybersecurity, according to a recent report published by the Government Accountability Office.
Released Monday, the 41-page report claims EPA, which houses a wealth of the nation’s environmental data, failed to update and secure several of its networks, devices, software and systems.
“The agency did not fully implement access controls, which are designed to prevent, limit and detect unauthorized access to computing resources, programs, information and facilities,” noted the GAO report.
As a result, the GAO said EPA was “jeopardizing the agency’s ability to sufficiently protect the confidentiality, integrity and availability of its information and systems.”
Under the Federal Information Security Management Act (FISMA), each agency is required to establish and implement an information security program, assessing risks and creating policies and procedures to secure federal systems.
While EPA does have a FISMA-based plan in place, the GAO said it had “not yet fully implemented its agency-wide information security program to ensure that controls are appropriately designed and operating effectively.”
And as EPA digests the lashing and its list of recommendations, another agency is also catching heat for its cyber vulnerabilities.
According to the NASA Office of Inspector General (OIG), the space agency’s Security Operations Center (SOC), which heads up IT security, had failed to monitor all of NASA’s computer networks.
“Even though networks we reviewed had their own incident management program that included network monitoring… the networks’ management programs do not provide the centralized continuous monitoring coverage afforded by the SOC,” advised the OIG in a brief overview of the classified cyber audit.
While the OIG’s cybersecurity recommendations were not disclosed in the report, the inspector general’s office said Linda Cureton, the agency’s chief information officer, had reviewed the plan and was prepared put its new procedures into place.