
EPA watchdog finds lack of IT systems inventory, software asset management data

The Office of Inspector General audit offered recommendations on how the agency should address its software management needs.
The Environmental Protection Agency's logo is displayed on a door at its headquarters on March 16, 2017, in Washington, D.C. (Photo by Justin Sullivan/Getty Images)

The Environmental Protection Agency lacks a complete and accurate inventory of its information systems and software asset management data, according to the agency’s Office of Inspector General. 

In an audit released Tuesday on the EPA’s 2024 compliance with the Federal Information Security Modernization Act (FISMA), the OIG found that the agency is unable to ensure the completeness and accuracy of its systems inventory without having validation of IT systems inventory data. Additionally, the watchdog said the EPA needs to update and maintain its software license inventory to address the lack of accountability for and visibility of software installed on the agency’s network. 

OIG pointed to an Office of Management and Budget statute in its report, which states that agency heads have to ensure that their agencies maintain information security protections that are “commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of (1) information collected or maintained by or on behalf of an agency or (2) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”

OIG recommended that the EPA’s mission support administrator develop and implement procedures for validating system inventory data received by region and program senior information officials. The administrator should also create procedures to coordinate software purchase data in the software asset data management tool with installations, the watchdog recommended. 

OIG pointed to a special publication from the National Institute of Standards and Technology that discusses security and privacy controls for systems and organizations, which states that “each agency should develop and update an inventory of organizational systems.”

The NIST document also suggests that agencies review and update the inventory on a frequency that the organization defines, and the agency’s chief information security officer must validate CyberScope report content submitted to OMB that includes FISMA systems’ inventory numbers.

The watchdog also suggested that EPA document the software asset management tool’s designation as the system of records for the agency’s enterprise asset management. Additionally, senior information officials and relevant IT personnel should be made aware of that designation. 

The agency software asset management tool doesn’t contain complete and accurate software license data to comply with both NIST and agency requirements. 

“According to agency personnel, this oversight occurred because the agency’s software procurement process does not require inputting purchase record information into the … tool,” the report states. “Additionally, agency personnel stated that the EPA has not designed a specific … tool as the system of record for software license data.”

Without a “complete and accurate inventory of software licenses,” the EPA risks “excessive spending on duplicative or unnecessary licenses,” per the report.

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.
