Configuration management deficiencies put EPA at risk
Administrators for the Environmental Protection Agency’s networks must focus on improving its configuration management program, according to a recent report from the agency’s inspector general.
“The lack of a fully developed Configuration Management program places the EPA’s network at a greater risk of being compromised,” the EPA Office of Inspector General reported.
Investigators recommended that EPA promptly address deviations red-flagged by scans, keep track of baseline scans of servers and network appliances, and apply patches promptly and securely.
In its report last year, the OIG made similar recommendations after finding deficiencies in EPA’s configuration management. The OIG also listed configuration management as one of several areas needing improvements in a 2012 report. Under the Federal Information Security Management Act, agencies’ inspectors general must evaluate information security programs and practices each year.
“The agency needs to make improvements in its Configuration Management program,” EPA Inspector General Arthur Elkins Jr. wrote in a memo to agency Administrator Gina McCarthy.
EPA spokeswoman Liz Purchia said in a statement to FedScoop that the Office of Environmental Information has reviewed the report and will continue to work to address the highlighted concerns.
“Over the past year, OEI has worked closely with the OIG to address noted concerns on the Fiscal Year 2013 annual Federal Information Security Management Act (FISMA) report and other OIG reports,” Purchia said. “According to the annual FISMA report, OEI has significantly improved in the areas of Risk Management and Contractor Systems.”
The agency will continue to address configuration management challenges, she said.