The U.S. Environmental Protection Agency (EPA) lacks the internal controls necessary to make risk-based decisions for the security of its budget systems, a report from the Office of the Inspector General (OIG) found.
According to the report, the Office of the Chief Financial Officer (OCFO) found that the agency requires security controls for the Budget Automation System (BAS). Additionally, the OCFO did not test all of the EPA’s security controls in the OIG’s fiscal year 2017 sample.
“Testing security controls enables organizations to identify vulnerabilities in their systems,” the report said. “Finding these vulnerabilities in a timely manner would allow the EPA to promptly remediate any weaknesses that impact the safety of its systems.”
The OIG also found that the OCFO didn’t assign and document responsibility for testing BAS security controls correctly and that it “did not review [Budget Formulation System] security reports in a timely manner or document the results of these reviews.”
The OIG recommended that the OCFO update the BAS reporting plan to clearly define who is responsible for documenting BAS testing, as required by the National Institute of Standards and Technology. The OIG also recommended that the OCFO stand up a “process for obtaining and documenting the timely review of all BAS and [Budget Formulation System] security reports.”
The EPA agreed with both recommendations and provided evidence that it had already completed the first; the second is pending resolution.